An cross-site scripting (XSS) flaw was found in the way Ruby on Rails performed management of safe buffers (certain methods could append unsafe strings to buffers, already containing strings marked as safe without marking the resulting buffer as unsafe). A remote attack could use this flaw to conduct XSS attacks by tricking a local user into visiting a specially-crafted web page. References: [1] http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications (upstream advisory) [2] http://www.openwall.com/lists/oss-security/2011/06/09/2 (CVE request) [3] http://www.openwall.com/lists/oss-security/2011/06/13/9 (CVE assignment) Upstream patches: [4] https://gist.github.com/89d6266cc7875614c5a5 (for v3.1.0.rc1) [5] https://gist.github.com/b2ceb626fc2bcdfe497f (for v3.0.7) [6] https://gist.github.com/392235903426322e0414 (for v2.3.11, specifically the rails_xss plugin)
This issue affects the version of rubygem-activesupport as shipped with Fedora release of 15. Please schedule an update. -- This issue did NOT affect the versions of the rubygem-activesupport package as shipped with Fedora release of 14 and 13. This issue did NOT affect the versions of the rubygem-activesupport package as present within EPEL-6 and EPEL-5 repositories.
Created rubygem-activesupport tracking bugs for this issue Affects: fedora-15 [bug 713694]
Fixed by https://admin.fedoraproject.org/updates/rubygem-activesupport-3.0.5-3.fc15 update.